Hello,
I am trying to configure an LDAP proxy towards 2 LDAP targets and I'm using the meta backend as follows:

    database meta
    suffix ou=A,o=B,c=C
    uri ldap://server1/ou=S1,ou=A,o=B,c=C
    uri ldap://server2/ou=S2,ou=A,o=B,c=C

It is working fine except for one point: I'm unable to perform a base search on my root node "ou=A,o=B,c=C". It always responds with error code 32 (no such object).
Reading the man page slapd-meta, I understand this is the normal behaviour. But is there a means to make this root suffix become a concrete node? This point is mandatory for me as many of my client applications are looking for this entry.
I tried to create another backend above this one (using the subordinate keyword) in order to host this root node, but slapd always complains about the fact the suffix is defined twice.
Thank you very much for your help.
Michel
Michel,
michel.gruau wrote on 11.04.2011 at 17:22:
> I am trying to configure an LDAP proxy towards 2 LDAP targets and I'm using the meta backend as follows:
>
>     database meta
>     suffix ou=A,o=B,c=C
>     uri ldap://server1/ou=S1,ou=A,o=B,c=C
>     uri ldap://server2/ou=S2,ou=A,o=B,c=C
>
> It is working fine except for one point: I'm unable to perform a base search on my root node "ou=A,o=B,c=C". It always responds with error code 32 (no such object).
> Reading the man page slapd-meta, I understand this is the normal behaviour. But is there a means to make this root suffix become a concrete node? This point is mandatory for me as many of my client applications are looking for this entry.
IMHO the root object of your meta database is "ou=S1,ou=A,o=B,c=C" as defined in your config. So if on server1 and server2 ou=S1,ou=A,o=B,c=C exists (and you have read access to it) this will be your meta root object.
> I tried to create another backend above this one (using the subordinate keyword) in order to host this root node, but slapd always complains about the fact the suffix is defined twice.
This will not work.
Marc
Not understood your answer Marc. The root object is what is defined in the "suffix" topic, this is true for every backend in my opinion. Does it mean that "meta" is the only backend type for which the object defined in "suffix" is purely virtual?
Michel
Message of 12/04/11 10:32 From: "Marc Patermann" To: "michel.gruau" Cc: "openldap-technical openldap org" Subject: Re: Database meta does not have any root node
> Not understood your answer Marc. The root object is what is defined in the "suffix" topic, this is true for every backend in my opinion. Does it mean that "meta" is the only backend type for which the object defined in "suffix" is purely virtual?
Every object in the meta backend is virtual. Your configuration is hosed, because you state that the database is serving the naming context "ou=A,o=B,c=C", but then you configure URI directives to start serving the naming context from its leaves. If you want the root entry to be defined, you need to configure (at least) one URI to serve it. The "right" approach would be to configure exactly one URI to serve the root entry, and optionally use subtree-exclude or subtree-include to restrict the use of that URI's subtree. Something like

    database meta
    suffix ou=A,o=B,c=C
    # ...
    uri ldap://server1/ou=A,o=B,c=C
    subtree-include "ou=S1,ou=A,o=B,c=C"
    # ...
    uri ldap://server2/ou=S2,ou=A,o=B,c=C

should do the trick.
p.
I managed to make it work but using subtree-exclude instead:

    database meta
    suffix ou=A,o=B,c=C
    uri ldap://server1/ou=A,o=B,c=C
    subtree-exclude "ou=S2,ou=A,o=B,c=C"
    uri ldap://server2/ou=S2,ou=A,o=B,c=C

This way, requests to ou=S2,ou=A,o=B,c=C are not seen by server1. Which is exactly what I wanted to do.
By the way, I don't understand why your solution does not work. But never mind.
Many thanks for your help because I was not aware of this possibility to use the subtree-{include|exclude}.
Maybe such an example could be added to the slapd-meta man page?
By the way, could you tell me how you understand this message on slapd startup? "WARNING: No dynamic config support for database meta."
Michel
michel.gruau wrote:
> I managed to make it work but using subtree-exclude instead:
>
>     database meta
>     suffix ou=A,o=B,c=C
>     uri ldap://server1/ou=A,o=B,c=C
>     subtree-exclude "ou=S2,ou=A,o=B,c=C"
>     uri ldap://server2/ou=S2,ou=A,o=B,c=C
>
> This way, requests to ou=S2,ou=A,o=B,c=C are not seen by server1. Which is exactly what I wanted to do.
> By the way, I don't understand why your solution does not work. But never mind.
> Many thanks for your help because I was not aware of this possibility to use the subtree-{include|exclude}.
subtree-exclude existed for a long time, and was documented in slapd-meta(5); subtree-include was added in 2.4.24
> Maybe such an example could be added to the slapd-meta man page?
Feel free to submit a patch, or add an entry in the Faq-o-matic.
> By the way, could you tell me how you understand this message on slapd startup? "WARNING: No dynamic config support for database meta."
Back-meta does not support configuration via cn=config yet. It's on my todo list.
p.
> subtree-exclude existed for a long time, and was documented in slapd-meta(5); subtree-include was added in 2.4.24
I tested your solution below with release 2.4.25. The result is that server1 is properly invoked when base is "ou=S1,ou=A,o=B,c=C" but it is not invoked when base is above (ou=A,o=B,c=C).

    database meta
    suffix ou=A,o=B,c=C
    # ...
    uri ldap://server1/ou=A,o=B,c=C
    subtree-include "ou=S1,ou=A,o=B,c=C"
    # ...
    uri ldap://server2/ou=S2,ou=A,o=B,c=C

Actually, I don't understand how subtree-include works. I also tried a few other solutions using syntax dn.subtree and dn.children, but I had new problems.
Never mind, as subtree-exclude seems better for my need.
Michel
openldap-technical@openldap.org
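
Added example, not part of the thread and not OpenLDAP code: a simplified model of how the meta backend picks targets for a request, run against the three configurations discussed above. Target, is_candidate and route are made-up names; only the "base" and "sub" scopes are modelled, and the subtree-include case follows what Michel reports for 2.4.25.

```python
# Simplified model of back-meta target selection, built from this thread.
# Added example: not OpenLDAP source; Target/is_candidate/route are made-up names.
from dataclasses import dataclass

def norm(dn):
    """Split a DN into lower-cased RDNs (assumes no escaped commas)."""
    return tuple(r.strip().lower() for r in dn.split(",") if r.strip())

def within(dn, ancestor):
    """True when dn equals ancestor or lies below it in the tree."""
    d, a = norm(dn), norm(ancestor)
    return len(d) >= len(a) and d[len(d) - len(a):] == a

@dataclass
class Target:
    name: str
    nc: str               # DN part of the target's uri directive
    subtree: str = ""     # argument of subtree-include / subtree-exclude
    exclude: bool = True  # True: subtree-exclude, False: subtree-include

def is_candidate(t, base, scope):
    if within(base, t.nc):  # base is at or below the target's naming context
        if t.subtree:
            match = within(base, t.subtree)
            return not match if t.exclude else match
        return True
    # Base is above the target: only a subtree search reaches down to it.
    return scope == "sub" and within(t.nc, base)

def route(targets, base, scope):
    """Names of the targets that get the request; [] maps to error 32."""
    return [t.name for t in targets if is_candidate(t, base, scope)]

ROOT = "ou=A,o=B,c=C"
S1, S2 = "ou=S1," + ROOT, "ou=S2," + ROOT
ORIGINAL = [Target("server1", S1), Target("server2", S2)]
EXCLUDE = [Target("server1", ROOT, S2, exclude=True), Target("server2", S2)]
INCLUDE = [Target("server1", ROOT, S1, exclude=False), Target("server2", S2)]

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("exclude", EXCLUDE), ("include", INCLUDE)):
        for base in (ROOT, S1, S2):
            hit = route(cfg, base, "base") or "noSuchObject (32)"
            print(f"{label:8} base={base:22} -> {hit}")
```

In this model the original configuration leaves the suffix entry with no target for a base search, while the subtree-exclude variant gives it to server1 and keeps ou=S2 requests away from server1.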